CVE-2026-14631
Status: Received - Intake

webpack-dev-server Process Termination via Malformed Headers

Vulnerability report for CVE-2026-14631, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-03

Last updated on: 2026-07-03

Assigner: openjs

Description

webpack-dev-server versions 5.2.5 and earlier terminate the whole Node.js process when an unauthenticated peer sends either a normal HTTP request with a malformed Host header or a WebSocket upgrade to the default /ws endpoint with a malformed Origin header. The malformed value causes an uncaught exception in the host-validation path and crashes the dev server. Impact is limited to the availability of the development server: there is no data disclosure and no code execution. Patches: upgrade to webpack-dev-server 5.2.6. Workarounds: keep the dev server bound to localhost (the default) and do not expose it to untrusted networks.
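
The hardening the fix describes, treating a Host or Origin value that cannot be parsed as simply not allowed instead of letting the parser exception escape the request handler, can be illustrated with a small Node.js allow-list check. This is an added example, not webpack-dev-server's own code; the allow-list contents, the sample header values and the function names are constructed for the illustration.

```javascript
// Added illustration (not webpack-dev-server's code): an allow-list check for
// the Host header of a plain HTTP request and the Origin header of a
// WebSocket upgrade. Allow-list contents and function names are constructed.
const ALLOWED_HOSTNAMES = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Host carries "host[:port]", Origin carries "scheme://host[:port]". Both are
// run through the WHATWG URL parser, which throws a TypeError on malformed
// input (unbalanced IPv6 brackets, spaces, non-numeric ports, ...).
function hostnameOf(headerValue, isOrigin) {
  const input = isOrigin ? headerValue : `http://${headerValue}`;
  return new URL(input).hostname;
}

// Crash-prone shape: the parser exception propagates out of the check. In a
// request handler without a surrounding try/catch, Node treats it as an
// uncaught exception and terminates the whole process (the CWE-248 pattern).
function isAllowedUnsafe(headerValue, isOrigin = false) {
  return ALLOWED_HOSTNAMES.has(hostnameOf(headerValue, isOrigin));
}

// Hardened shape: a value that cannot be parsed is treated as invalid input
// and rejected; the request gets a 4xx and the process keeps serving.
function isAllowedSafe(headerValue, isOrigin = false) {
  if (typeof headerValue !== "string" || headerValue.length === 0) return false;
  try {
    return ALLOWED_HOSTNAMES.has(hostnameOf(headerValue, isOrigin));
  } catch (err) {
    if (err instanceof TypeError) return false; // malformed header -> reject
    throw err; // anything else is a real bug and should surface
  }
}

// Constructed header values: two well-formed, two malformed, one from a
// host that is simply not on the allow-list.
const SAMPLES = [
  { value: "localhost:8080", origin: false },
  { value: "http://localhost:8080", origin: true },
  { value: "[::1", origin: false },                  // unbalanced bracket
  { value: "http://loc alhost:8080", origin: true }, // space in host
  { value: "example.org", origin: false },
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s.value), "->", isAllowedSafe(s.value, s.origin));
}
```

Swapping `isAllowedSafe` for `isAllowedUnsafe` in the loop reproduces the failure class the advisory describes: the third sample throws and, with no handler above it, a real server process would exit.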

Meta Information

Published: 2026-07-03
Last Modified: 2026-07-03
Generated: 2026-07-03
AI Q&A: 2026-07-03
EPSS Evaluated: N/A
External references: NVD, EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor   Product             Version / Range
webpack  webpack-dev-server  up to 5.2.6 (exclusive)
webpack  webpack-dev-server  5.2.6

Exploitability

CWE ID   Description
CWE-20   The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-248  An exception is thrown from a function, but it is not caught.

Executive Summary

The vulnerability affects webpack-dev-server versions 5.2.5 and earlier. It occurs when an unauthenticated attacker sends either a normal HTTP request with a malformed Host header or a WebSocket upgrade request to the default /ws endpoint with a malformed Origin header. These malformed headers cause an uncaught exception in the host-validation process, which crashes the entire Node.js development server process.

This is due to improper input validation and uncaught exceptions in the server code. The issue is fixed in version 5.2.6, where malformed headers are handled as invalid inputs instead of causing exceptions.

Compliance Impact

This vulnerability affects the availability of the webpack-dev-server by causing it to crash when receiving malformed headers from unauthenticated peers. However, it does not result in data disclosure or code execution.

Since the impact is limited to availability and there is no data breach or unauthorized access, the vulnerability does not directly affect compliance with data protection regulations such as GDPR or HIPAA, which primarily focus on confidentiality and integrity of personal data.

Nevertheless, availability is a component of information security, and prolonged denial of service could indirectly impact compliance if critical development environments are disrupted. Mitigation involves upgrading to version 5.2.6 or restricting server exposure to trusted networks.

Impact Analysis

The impact of this vulnerability is limited to the availability of the webpack development server. An attacker can cause a denial of service by crashing the server process.

There is no risk of data disclosure or code execution from this vulnerability.

Detection Guidance

This vulnerability can be detected by monitoring for crashes or unexpected terminations of the webpack-dev-server process when it receives malformed Host headers in HTTP requests or malformed Origin headers in WebSocket upgrade requests to the /ws endpoint.

To detect attempts to exploit this vulnerability on your network, you can capture and inspect HTTP and WebSocket traffic targeting the webpack-dev-server, looking specifically for malformed Host or Origin headers.

Example commands to monitor network traffic include:

  • Using tcpdump to capture traffic on port 8080 (default webpack-dev-server port): tcpdump -i any port 8080 -w capture.pcap
  • Using tshark to filter HTTP requests with malformed Host headers: tshark -r capture.pcap -Y 'http.host and (http.host matches "^.*[\x00-\x1F\x7F].*$")'
  • Using tshark to filter WebSocket upgrade requests with malformed Origin headers: tshark -r capture.pcap -Y 'http.websocket and http.origin and (http.origin matches "^.*[\x00-\x1F\x7F].*$")'

Additionally, monitoring the webpack-dev-server logs for uncaught exceptions or crashes related to host validation can help detect exploitation attempts.

Mitigation Strategies

The immediate steps to mitigate this vulnerability are:

  • Upgrade webpack-dev-server to version 5.2.6 or later, where the issue is fixed by treating malformed headers as invalid instead of throwing exceptions.
  • As a workaround, keep the webpack-dev-server bound to localhost (the default setting) to avoid exposure to untrusted networks.
  • Do not expose the development server to untrusted or public networks to reduce the risk of denial of service attacks.
